Automatic generation of ISO 17799 compliance requirements

Abstract

Security is a protection of any entity which is valuable to people. Nowadays, organizations are highly concerned about the security on their assets. To achieve better security control in the organization, most of the organizations are willing to make more efforts on security controls. Therefore, they would setup information security model (ISM) to maintain their security information. ISM is a model which assists the data collection for auditing. The legislative and regulatory requirements are the basic requirements of the information security of the organization. Each organization would have their internal policies which are more suitable to their unique business environment. Those policies would base on the information security standards like ISO/IEC 17799, NERC 1200, NIST SP 800-53. The security controls in the organization would conform to those standards. The compliance auditing would check the security controls whether they obey the standards and the internal security policies or not. This process would be performed by the security experts regularly. Based on the experts’ knowledge, the compliance requirement would be created or updated for each compliance auditing. In this project, it aims to develop an automatic compliance requirement generator. The security expert could select the course of the information security standards and the data in ISM. According to their knowledge and experience, they would choose the compliance requirement conditions to link up with the standards and ISM data. The system would form the compliance requirements in XML format.